Fix DKIM verify when used with CHUNKING. Bug 2016

[exim.git] / src / src / tls-gnu.c

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 383a00f4ededfc6b0aee181d9815f15f76259099..7b16fc811887724a641d75deaaac023a668e8662 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -13,7 +13,7 @@ tls.c when USE_GNUTLS has been set.
 
 The code herein is a revamp of GnuTLS integration using the current APIs; the
 original tls-gnu.c was based on a patch which was contributed by Nikos
-Mavroyanopoulos.  The revamp is partially a rewrite, partially cut&paste as
+Mavrogiannopoulos.  The revamp is partially a rewrite, partially cut&paste as
 appropriate.
 
 APIs current as of GnuTLS 2.12.18; note that the GnuTLS manual is for GnuTLS 3,
@@ -493,8 +493,7 @@ else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
   }
 else if (exp_tls_dhparam[0] != '/')
   {
-  m.data = US std_dh_prime_named(exp_tls_dhparam);
-  if (m.data == NULL)
+  if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
     return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL);
   m.size = Ustrlen(m.data);
   }
@@ -548,8 +547,7 @@ if (use_file_in_spool)
 /* Open the cache file for reading and if successful, read it and set up the
 parameters. */
 
-fd = Uopen(filename, O_RDONLY, 0);
-if (fd >= 0)
+if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
   {
   struct stat statbuf;
   FILE *fp;
@@ -624,8 +622,7 @@ if (rc < 0)
         CS filename, NULL);
 
   temp_fn = string_copy(US "%s.XXXXXXX");
-  fd = mkstemp(CS temp_fn); /* modifies temp_fn */
-  if (fd < 0)
+  if ((fd = mkstemp(CS temp_fn)) < 0)  /* modifies temp_fn */
     return tls_error(US"Unable to open temp file", strerror(errno), NULL);
   (void)fchown(fd, exim_uid, exim_gid);   /* Probably not necessary */
 
@@ -675,23 +672,19 @@ if (rc < 0)
     }
   m.size = sz; /* shrink by 1, probably */
 
-  sz = write_to_fd_buf(fd, m.data, (size_t) m.size);
-  if (sz != m.size)
+  if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
     {
     free(m.data);
     return tls_error(US"TLS cache write D-H params failed",
         strerror(errno), NULL);
     }
   free(m.data);
-  sz = write_to_fd_buf(fd, US"\n", 1);
-  if (sz != 1)
+  if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
     return tls_error(US"TLS cache write D-H params final newline failed",
         strerror(errno), NULL);
 
-  rc = close(fd);
-  if (rc)
-    return tls_error(US"TLS cache write close() failed",
-        strerror(errno), NULL);
+  if ((rc = close(fd)))
+    return tls_error(US"TLS cache write close() failed", strerror(errno), NULL);
 
   if (Urename(temp_fn, filename) < 0)
     return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
@@ -1730,7 +1723,7 @@ Arguments:
 
 Returns:           OK on success
                    DEFER for errors before the start of the negotiation
-                   FAIL for errors during the negotation; the server can't
+                   FAIL for errors during the negotiation; the server can't
                      continue running.
 */
 
@@ -1834,13 +1827,18 @@ if (rc != GNUTLS_E_SUCCESS)
   until the server times out. */
 
   if (sigalrm_seen)
+    {
     tls_error(US"gnutls_handshake", "timed out", NULL);
+    gnutls_db_remove_session(state->session);
+    }
   else
     {
     tls_error(US"gnutls_handshake", gnutls_strerror(rc), NULL);
-    gnutls_alert_send_appropriate(state->session, rc);
+    (void) gnutls_alert_send_appropriate(state->session, rc);
+    gnutls_deinit(state->session);
+    gnutls_certificate_free_credentials(state->x509_cred);
     millisleep(500);
-    shutdown(fileno(smtp_out), SHUT_WR);
+    shutdown(state->fd_out, SHUT_WR);
     for (rc = 1024; fgetc(smtp_in) != EOF && rc > 0; ) rc--;   /* drain skt */
     (void)fclose(smtp_out);
     (void)fclose(smtp_in);
@@ -2128,11 +2126,13 @@ if (!state->tlsp || state->tlsp->active < 0) return;  /* TLS was not active */
 
 if (shutdown)
   {
-  DEBUG(D_tls) debug_printf("tls_close() from '%s': shutting down TLS\n");
+  DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
   gnutls_bye(state->session, GNUTLS_SHUT_WR);
   }
 
 gnutls_deinit(state->session);
+gnutls_certificate_free_credentials(state->x509_cred);
+
 
 state->tlsp->active = -1;
 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
@@ -2158,12 +2158,12 @@ Only used by the server-side TLS.
 
 This feeds DKIM and should be used for all message-body reads.
 
-Arguments:  none
+Arguments:  lim                Maximum amount to read/bufffer
 Returns:    the next character or EOF
 */
 
 int
-tls_getc(void)
+tls_getc(unsigned lim)
 {
 exim_gnutls_state_st *state = &state_server;
 if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
@@ -2175,7 +2175,7 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
 
   if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
   inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
-    ssl_xfer_buffer_size);
+    MIN(ssl_xfer_buffer_size, lim));
   alarm(0);
 
   /* Timeouts do not get this far; see command_timeout_handler().
@@ -2202,6 +2202,8 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
     receive_smtp_buffered = smtp_buffered;
 
     gnutls_deinit(state->session);
+    gnutls_certificate_free_credentials(state->x509_cred);
+
     state->session = NULL;
     state->tlsp->active = -1;
     state->tlsp->bits = 0;
@@ -2211,7 +2213,7 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
     state->tlsp->peercert = NULL;
     state->tlsp->peerdn = NULL;
 
-    return smtp_getc();
+    return smtp_getc(lim);
     }
 
   /* Handle genuine errors */